Monday, October 3, 2011

Some of you may already be familiar with "God Mode" in Windows 7. It is a special tool that the Windows developer team left in for their own convenience, to make enabling and disabling many Windows functions quick and easy. However, there is more than one of these: I have found 39, and I will show you how to access them and also provide a script to do it. Note that these are for Windows 7 and will not work on Windows XP (there are some GUID tricks there too, these just aren't them). The original God Mode trick was to add ".{ED7BA470-8E54-465E-825C-99712043E01C}" to the end of a folder name. So, for example, if you create a folder named "Main GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}", you get a folder called "Main GodMode" which, when double-clicked, shows what you see below instead of an empty folder.

However, this is just another parlor trick by Windows Explorer. Look at it from the command line and you will see it is still just a folder; Windows simply handles it differently.

Looking in the Windows Registry, you can see it is actually calling a function in the shell32.dll file in the system32 folder.

With some searching I was able to create a batch script that creates these "modules". The script creates a folder called "GodModes" wherever it is run, then creates the 39 known God Mode folders under it for you to use, which gives you a decent "this is what the Control Panel should have been" folder.
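As an added example (not the batch script the post refers to), this Python takes a folder name apart the way Explorer does: it checks for a trailing .{CLSID} suffix, recovers the display name, and can scan a directory for such folders, which cmd.exe lists under their full on-disk name. The only CLSID it recognises is the one quoted above; the sample names are constructed.

```python
import os
import re

# Explorer treats a folder whose name ends in ".{CLSID}" as the shell object
# identified by that CLSID; on disk (and from cmd.exe) it is still a plain
# directory. This regex recovers both halves of such a name.
CLSID_SUFFIX = re.compile(
    r"^(?P<display>.+)\.\{(?P<clsid>"
    r"[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12})\}$"
)

# The only CLSID the post itself quotes; the other 38 are not on the page.
KNOWN_CLSIDS = {
    "ED7BA470-8E54-465E-825C-99712043E01C": 'All Tasks ("God Mode")',
}


def split_shell_folder_name(name):
    """Return (display_name, CLSID) for a CLSID-suffixed folder name,
    or None if the name has no such suffix."""
    m = CLSID_SUFFIX.match(name)
    if not m:
        return None
    return m.group("display"), m.group("clsid").upper()


def describe(name):
    """What Explorer would show for this name versus what is on disk."""
    parts = split_shell_folder_name(name)
    if parts is None:
        return f"{name}: ordinary folder"
    display, clsid = parts
    label = KNOWN_CLSIDS.get(clsid, "CLSID not in this list")
    return f"{name}: shown as '{display}', opens shell object {{{clsid}}} ({label})"


def find_shell_folders(path):
    """List CLSID-suffixed subfolders of one directory (non-recursive)
    as (on-disk name, display name, CLSID) tuples."""
    hits = []
    for entry in os.scandir(path):
        parts = split_shell_folder_name(entry.name)
        if entry.is_dir() and parts:
            hits.append((entry.name, parts[0], parts[1]))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample names, not folders from the author's machine.
    for n in ["Main GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}",
              "Documents", "notes.{not-a-guid}"]:
        print(describe(n))
```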

Friday, September 2, 2011

Today we are going to look at how to get a WPA/WPA2 4-way handshake from a client using Airbase-ng without the client being connected to, or even near, its real access point. This works because many machines send out probe requests for access points they have connected to before (you will see them at the bottom right while running airodump-ng). A probe request means the client is looking for that access point and wants to connect to it. With Airbase-ng we pretend to be that access point and let the client attempt to connect to us.

So for this tutorial I will be using:
- One attacker box running BackTrack 5
- One laptop running XP or 7, pre-configured to connect to an SSID of linksys with a WPA2 key set

Step 1: Going in to Monitor Mode

With that said, let's first get things set up on the attacking machine by putting our wireless card into monitor mode using airmon-ng. Since my wireless interface is "wlan0", I would use the command "airmon-ng start wlan0". This gives us a virtual interface called "mon0" which is in monitor mode.

Step 2a: Setting up the fake AP (Single Known Target Method)

Use this method if you know the target AP's ESSID or you only want to attack that one; otherwise use Step 2b instead, but still read this section first to get a better understanding. Next, let's take a moment to look at the help options for airbase-ng, pictured below.

So now let's set up our options. For this attack I'm going to use the following command. (Note: this is case sensitive, so pay close attention.)

Basically, this command sets up mon0 to listen and answer (-i mon0 as the capture interface, and mon0 again as the replay interface) as a WPA2-TKIP access point (-Z 2) on channel 1 (-c 1) with the SSID linksys (--essid linksys), and logs all packets to a capture file on the desktop (-F ./Desktop/WPA-attack.cap).

Above is a screenshot of it in action. As you can see in the last three lines, the machine is attempting to authenticate to our fake AP. Once you have seen this line, it is safe to open another terminal and open the pcap file (in my case ./Desktop/WPA-attack.cap-01.cap) with aircrack-ng to confirm you got a handshake.

And sure enough, we got a handshake!

Step 2b: Setting up the fake AP (Unknown Target Method)

Warning: this method will attempt to attack every probe it sees! If you don't know the client's ESSID, or just want to attack everyone in the area (airport or coffee shop, anyone?), use this type of command.

airbase-ng -P -C 500 -Z 2 -c 1 -i mon0 -F ./Desktop/Probe_hits mon0

It's pretty much the same as the command from Step 2a, except that instead of "--essid linksys" we use "-P -C 500" (case sensitive, so note that these are uppercase switches). -P makes airbase-ng answer every probe it sees, and -C 500 makes it beacon the probed ESSIDs for 500 seconds.

With this approach I changed the victim's wireless connection settings from linksys to "testing". As you can see, it found the probe, repeated the ESSID, and allowed the client to connect, thus also getting the handshake, same as above.
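The probe-answering behaviour in Steps 2a and 2b is also what makes such a fake AP stand out from the monitoring side. As an added example (not part of the original post), the following Python runs two checks over a constructed log of beacon and probe-response frames: a BSSID that is not ours advertising one of our ESSIDs, and a single BSSID advertising many different ESSIDs, which is exactly what -P with -C produces. The log format, the MAC addresses and the AUTHORISED list are assumptions.

```python
from collections import defaultdict

# Constructed sample of 802.11 management frames as a wireless IDS sensor
# might log them: "<seconds> <subtype> <bssid> <essid>". Not a real capture.
SAMPLE_LOG = """\
0.0 beacon 00:11:22:33:44:55 linksys
0.5 probe-req - linksys
0.6 probe-resp de:ad:be:ef:00:01 linksys
1.3 probe-resp de:ad:be:ef:00:01 testing
1.4 beacon de:ad:be:ef:00:01 testing
2.1 probe-resp de:ad:be:ef:00:01 CoffeeShop
2.2 beacon de:ad:be:ef:00:01 CoffeeShop
"""

# The BSSIDs we operate and the ESSID each is allowed to advertise (constructed).
AUTHORISED = {"00:11:22:33:44:55": "linksys"}


def parse_log(text):
    frames = []
    for line in text.splitlines():
        ts, subtype, bssid, essid = line.split(maxsplit=3)
        frames.append((float(ts), subtype, bssid, essid))
    return frames


def detect_rogue_aps(frames, max_essids_per_bssid=2):
    """Return {bssid: (sorted ESSIDs it advertised, [reasons])}.
    'evil-twin': a BSSID that is not ours advertising one of our ESSIDs.
    'probe-answerer': one BSSID advertising more ESSIDs than a real AP would;
    airbase-ng -P answers (and with -C beacons) every ESSID it is probed for."""
    advertised = defaultdict(set)
    for _, subtype, bssid, essid in frames:
        if subtype in ("beacon", "probe-resp"):   # frames an AP itself sends
            advertised[bssid].add(essid)
    alerts = {}
    our_essids = set(AUTHORISED.values())
    for bssid, essids in advertised.items():
        reasons = []
        if bssid not in AUTHORISED and essids & our_essids:
            reasons.append("evil-twin")
        if len(essids) > max_essids_per_bssid:
            reasons.append("probe-answerer")
        if reasons:
            alerts[bssid] = (sorted(essids), reasons)
    return alerts


if __name__ == "__main__":
    for bssid, (essids, reasons) in detect_rogue_aps(parse_log(SAMPLE_LOG)).items():
        print(f"{bssid}: {', '.join(reasons)} -> {essids}")
```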

Step 3a: Cracking it with Cowpatty and rainbow tables

This is my preferred method of cracking WPA/WPA2. However, Cowpatty (even the install on BackTrack) will by default not detect the 4-way handshake obtained with these methods unless you patch it. You can patch it by following an article I wrote on how to do this step by step, or via a script I coded for that; both can be found here. With Cowpatty patched, just use the following command:

In this command, -r points Cowpatty to the capture file with the handshake, -s gives the program the ESSID, and -d points to my rainbow table for this SSID. If you need rainbow tables for Cowpatty, I recommend you check out the Church of WiFi set from the Renderlab web page: a free set of 33 GB of tables made from the top 1,000 SSIDs seen on WiGLE (Wireless Geographic Logging Engine), a community site where wardrivers upload their GPS wardriving data and have it mapped for all to see.

If that image isn't encouragement to get your rainbow tables, I don't know what is. Cracked after 395,442 tries in about 2.5 seconds! Well worth the download and the space to keep these handy. If the SSID is not one in the kit, you can make your own table by following this post here.

Step 3b: Cracking it with aircrack-ng using a Dictionary

In this attack we will use Aircrack-ng with the default dictionary that comes with BackTrack (located under /pentest/password/wordlist/darkc0de.lst). This is just to show you a second method and give you something to compare the time difference between rainbow table and dictionary attacks. To run it, just do the following:

On mine it was number two, but just enter the number next to the network with the handshake you are attacking. You should see the attack start running.

As you can see, this worked too, but it took 16 minutes instead of 2 seconds. Whichever method is easier for you, that's the one to use. Hope this helps some people; if you have any questions, feel free to leave one in the comments.

Tuesday, August 23, 2011

So I recently needed to automate this process, as it had to be done on over 30 machines, and I'm lazy: if I have to do something more than once, it gets automated. This script will download DVWA (Damn Vulnerable Web App), unzip it, put it in your web root, configure it, start Apache and MySQL, and set up the MySQL database with the DVWA data, all in about 30-45 seconds.

Thursday, July 14, 2011

The following is a script I coded to simplify using msfpayload and msfencode to create a Windows-based trojan and set up the listener. Let's face it, scripting is faster and easier. It also ensures the result is uniform and automated.

The script will do the following:
- Determine your IP address automatically for the LHOST of the payload.
- Ask if you want a shell or Meterpreter.
- Ask if you want a reverse connection or a bind TCP port.
- Request the port number.

At that point it will create two files:
- trojan.exe - your virus payload
- msf_Trojan_Listener - a file with a one-liner to create the Metasploit listener that works with your payload.

Wednesday, June 22, 2011

UPDATE: This module is now part of Metasploit. Just run msfupdate and it should be under auxiliary/admin/2wire/xslt_password_reset. For details, see here.

Here is a Metasploit module I coded to reset the password on a 2Wire router. It uses a setup wizard page that neither verifies whether the user is authenticated nor removes itself after first-time setup. This can be exploited to reset the password. Without further delay, here is the code.

On my Ubuntu box I placed this under /opt/metasploit3/msf3/modules/auxiliary/admin/2wire/2wirepasswordreset.rb

So, to generate a rainbow table we need to provide a dictionary, an SSID, and an output file for it to write the hashes to. Using the above, we can run the following:

genpmk -f final-wordlist.txt -s HackMe -d HackMe

This makes genpmk create a rainbow table called "HackMe" containing hashes of all the passwords in the file "final-wordlist.txt", salted with the SSID "HackMe". The shell output should update as every 1,000 hashes are created.

The whole process doesn't actually take all that long, and the file size of a rainbow table using the password file I suggest is ~40 MB. Not too bad considering the speed boost it gives when you go to crack the handshake.
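Why these tables are per-SSID, and what the Cowpatty lookup in Step 3a buys over the dictionary run in Step 3b, comes down to how WPA-PSK derives the PMK: the SSID is the salt, which is also why a non-default SSID and a long random passphrase keep a network outside any pre-built table. The Python below is an added example, not genpmk's or Cowpatty's code: it derives the PMK with the standard PBKDF2-HMAC-SHA1 parameters, builds a small table for one SSID, and shows a hit for that SSID and a miss for another. The wordlist, SSIDs and passphrases are constructed.

```python
import hashlib
import time

# WPA/WPA2-PSK derives the Pairwise Master Key from the passphrase as
#   PMK = PBKDF2-HMAC-SHA1(passphrase, salt = SSID, 4096 rounds, 32 bytes)
# The SSID is the salt: a genpmk table is only valid for the SSID it was
# built for, and an SSID nobody pre-computed for has no table at all.


def derive_pmk(passphrase, ssid):
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def build_table(wordlist, ssid):
    """Precompute {PMK: passphrase} for one SSID, as genpmk -f/-s does.
    Candidates outside 8-63 characters are skipped: they cannot be valid
    WPA passphrases, so hashing them would only cost time."""
    return {derive_pmk(w, ssid): w for w in wordlist if 8 <= len(w) <= 63}


def lookup(table, target_pmk):
    """One dict hit instead of one PBKDF2 run per candidate. (Cowpatty
    confirms each candidate PMK against the handshake MIC; the target PMK
    stands in for that check here.)"""
    return table.get(target_pmk)


def recompute_scan(wordlist, ssid, target_pmk):
    """The dictionary-attack path: derive every candidate on the fly."""
    for w in wordlist:
        if derive_pmk(w, ssid) == target_pmk:
            return w
    return None


# Constructed wordlist; not the author's final-wordlist.txt.
WORDLIST = ["short", "password", "HackMe123", "letmein!", "correct horse"]

if __name__ == "__main__":
    target = derive_pmk("HackMe123", "HackMe")   # the PMK the client used
    table = build_table(WORDLIST, "HackMe")       # paid once, reused per capture
    t0 = time.perf_counter()
    hit = lookup(table, target)
    t1 = time.perf_counter()
    found = recompute_scan(WORDLIST, "HackMe", target)
    t2 = time.perf_counter()
    print(f"table: {hit} in {t1 - t0:.6f}s; recompute: {found} in {t2 - t1:.4f}s")
    # Same wordlist, different SSID: the table cannot be reused.
    print(lookup(build_table(WORDLIST, "linksys"), target))
```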

Cowpatty is a great tool for cracking WPA/WPA2 keys via either a dictionary attack or rainbow tables. All it needs is to see a client connect to the network (this is called a "handshake"). However, Cowpatty isn't perfect and has a problem reading some handshakes correctly. After looking into this, I found a way to install it with the patch on my Ubuntu box.

First we need to download the required files. If you already have them, you can skip this step.

Line 1: Removes OpenJDK from your machine.
Lines 2-3: Enable the partner repository, which has the Sun packages, and update apt.
Lines 4-5: Install the files needed for the Sun JRE to run.
Line 6: Tells your system to use only the Sun Java binaries.

Tuesday, February 8, 2011

So Ubuntu decided to hop on the Apple bandwagon and move the close, minimize and maximize buttons at the top of the window to the left. This annoyed me to no end. So after some searching I found this simple one-liner!